teslacrypt | 9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332

Resubmissions

15-05-2024 07:41

240515-jjclfaff64 10

15-05-2024 07:38

240515-jgfkbafe78 4

15-05-2024 07:26

240515-h9jxrsfa2t 10

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
Size

360KB
MD5

45193536497856842273bcf3ba3eed80
SHA1

9936812c27e92c8f7f7183ed3a8730ea1c6e167b
SHA256

9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332
SHA512

3ea4cb9916f01b00d7dd73fef6a9006d1c521a225037a44a136991d98db1a0abb74fbc2a09dd2905e2404ca2956382dbb274e346e84be99bdb0377a3ca44f785
SSDEEP

6144:gZtBZh5vTOAWJx4u1l05Lpm+SemsrbK9XbgwJU2WWIBReISOuO8I:Qn7vSr4+sLwRnXbg4U2WWyN

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mosjr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/BB82BFBA37FEEF3 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/BB82BFBA37FEEF3 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/BB82BFBA37FEEF3 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/BB82BFBA37FEEF3 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/BB82BFBA37FEEF3 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/BB82BFBA37FEEF3 http://yyre45dbvn2nhbefbmh.begumvelic.at/BB82BFBA37FEEF3 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/BB82BFBA37FEEF3

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/BB82BFBA37FEEF3

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/BB82BFBA37FEEF3

http://yyre45dbvn2nhbefbmh.begumvelic.at/BB82BFBA37FEEF3

http://xlowfznrg4wf7dli.ONION/BB82BFBA37FEEF3

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (882) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	bgpytlvqwifg.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mosjr.txt	bgpytlvqwifg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mosjr.txt	bgpytlvqwifg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe

Executes dropped EXE 2 IoCs

pid	Process
3632	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdtlhye = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\bgpytlvqwifg.exe"	bgpytlvqwifg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 3632 set thread context of 4560	3632	bgpytlvqwifg.exe	100

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\_ReCoVeRy_+mosjr.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Microsoft Office\_ReCoVeRy_+mosjr.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Dark.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+mosjr.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FlagToastQuickAction.scale-80.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-100.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-48_altform-unplated.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\Images\dash.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_scale-200.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-200.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageAppList.scale-100.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileMediumSquare.scale-100.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-125_contrast-white.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\dotnet\swidtag\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyFile24x24.scale-125.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-150.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-150.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineStrings.js	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\_ReCoVeRy_+mosjr.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-125.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SmallTile.scale-125_contrast-black.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Styling\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\WideTile.scale-100.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-lightunplated.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Sounds\_ReCoVeRy_+mosjr.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Reference Assemblies\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-200.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-24_altform-unplated.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64_altform-unplated.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\_ReCoVeRy_+mosjr.txt	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\_ReCoVeRy_+mosjr.html	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig_RoomScale.jpg	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-125.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png	bgpytlvqwifg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_ReCoVeRy_+mosjr.png	bgpytlvqwifg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\bgpytlvqwifg.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
File opened for modification	C:\Windows\bgpytlvqwifg.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	bgpytlvqwifg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3680	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe
4560	bgpytlvqwifg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
Token: SeDebugPrivilege	4560	bgpytlvqwifg.exe
Token: SeIncreaseQuotaPrivilege	3496	WMIC.exe
Token: SeSecurityPrivilege	3496	WMIC.exe
Token: SeTakeOwnershipPrivilege	3496	WMIC.exe
Token: SeLoadDriverPrivilege	3496	WMIC.exe
Token: SeSystemProfilePrivilege	3496	WMIC.exe
Token: SeSystemtimePrivilege	3496	WMIC.exe
Token: SeProfSingleProcessPrivilege	3496	WMIC.exe
Token: SeIncBasePriorityPrivilege	3496	WMIC.exe
Token: SeCreatePagefilePrivilege	3496	WMIC.exe
Token: SeBackupPrivilege	3496	WMIC.exe
Token: SeRestorePrivilege	3496	WMIC.exe
Token: SeShutdownPrivilege	3496	WMIC.exe
Token: SeDebugPrivilege	3496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3496	WMIC.exe
Token: SeRemoteShutdownPrivilege	3496	WMIC.exe
Token: SeUndockPrivilege	3496	WMIC.exe
Token: SeManageVolumePrivilege	3496	WMIC.exe
Token: 33	3496	WMIC.exe
Token: 34	3496	WMIC.exe
Token: 35	3496	WMIC.exe
Token: 36	3496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3496	WMIC.exe
Token: SeSecurityPrivilege	3496	WMIC.exe
Token: SeTakeOwnershipPrivilege	3496	WMIC.exe
Token: SeLoadDriverPrivilege	3496	WMIC.exe
Token: SeSystemProfilePrivilege	3496	WMIC.exe
Token: SeSystemtimePrivilege	3496	WMIC.exe
Token: SeProfSingleProcessPrivilege	3496	WMIC.exe
Token: SeIncBasePriorityPrivilege	3496	WMIC.exe
Token: SeCreatePagefilePrivilege	3496	WMIC.exe
Token: SeBackupPrivilege	3496	WMIC.exe
Token: SeRestorePrivilege	3496	WMIC.exe
Token: SeShutdownPrivilege	3496	WMIC.exe
Token: SeDebugPrivilege	3496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3496	WMIC.exe
Token: SeRemoteShutdownPrivilege	3496	WMIC.exe
Token: SeUndockPrivilege	3496	WMIC.exe
Token: SeManageVolumePrivilege	3496	WMIC.exe
Token: 33	3496	WMIC.exe
Token: 34	3496	WMIC.exe
Token: 35	3496	WMIC.exe
Token: 36	3496	WMIC.exe
Token: SeBackupPrivilege	2080	vssvc.exe
Token: SeRestorePrivilege	2080	vssvc.exe
Token: SeAuditPrivilege	2080	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeSecurityPrivilege	2592	WMIC.exe
Token: SeTakeOwnershipPrivilege	2592	WMIC.exe
Token: SeLoadDriverPrivilege	2592	WMIC.exe
Token: SeSystemProfilePrivilege	2592	WMIC.exe
Token: SeSystemtimePrivilege	2592	WMIC.exe
Token: SeProfSingleProcessPrivilege	2592	WMIC.exe
Token: SeIncBasePriorityPrivilege	2592	WMIC.exe
Token: SeCreatePagefilePrivilege	2592	WMIC.exe
Token: SeBackupPrivilege	2592	WMIC.exe
Token: SeRestorePrivilege	2592	WMIC.exe
Token: SeShutdownPrivilege	2592	WMIC.exe
Token: SeDebugPrivilege	2592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2592	WMIC.exe
Token: SeRemoteShutdownPrivilege	2592	WMIC.exe
Token: SeUndockPrivilege	2592	WMIC.exe
Token: SeManageVolumePrivilege	2592	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 456 wrote to memory of 4652	456	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	96
PID 4652 wrote to memory of 3632	4652	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	97
PID 4652 wrote to memory of 3632	4652	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	97
PID 4652 wrote to memory of 3632	4652	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	97
PID 4652 wrote to memory of 2168	4652	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	98
PID 4652 wrote to memory of 2168	4652	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	98
PID 4652 wrote to memory of 2168	4652	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	98
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 3632 wrote to memory of 4560	3632	bgpytlvqwifg.exe	100
PID 4560 wrote to memory of 3496	4560	bgpytlvqwifg.exe	101
PID 4560 wrote to memory of 3496	4560	bgpytlvqwifg.exe	101
PID 4560 wrote to memory of 3680	4560	bgpytlvqwifg.exe	106
PID 4560 wrote to memory of 3680	4560	bgpytlvqwifg.exe	106
PID 4560 wrote to memory of 3680	4560	bgpytlvqwifg.exe	106
PID 4560 wrote to memory of 3980	4560	bgpytlvqwifg.exe	107
PID 4560 wrote to memory of 3980	4560	bgpytlvqwifg.exe	107
PID 3980 wrote to memory of 3100	3980	msedge.exe	108
PID 3980 wrote to memory of 3100	3980	msedge.exe	108
PID 4560 wrote to memory of 2592	4560	bgpytlvqwifg.exe	109
PID 4560 wrote to memory of 2592	4560	bgpytlvqwifg.exe	109
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111
PID 3980 wrote to memory of 2584	3980	msedge.exe	111

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bgpytlvqwifg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	bgpytlvqwifg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\bgpytlvqwifg.exe
    C:\Windows\bgpytlvqwifg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\bgpytlvqwifg.exe
      C:\Windows\bgpytlvqwifg.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4560
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:3680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc9bc46f8,0x7ffcc9bc4708,0x7ffcc9bc4718
        6⤵
        
        PID:3100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        6⤵
        
        PID:2584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        6⤵
        
        PID:3160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
        6⤵
        
        PID:2060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        
        PID:1944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
        6⤵
        
        PID:2480
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
        6⤵
        
        PID:212
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
        6⤵
        
        PID:2820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        6⤵
        
        PID:3912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
        6⤵
        
        PID:1916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        6⤵
        
        PID:1532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7380281511902450657,11391679965683525314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
        6⤵
        
        PID:660
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BGPYTL~1.EXE
        5⤵
        
        PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\451935~1.EXE
    3⤵
    PID:2168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mosjr.html

Filesize
12KB

MD5
f698cd2067c3d544ba2daa28981f764e

SHA1
56cf6ace3bf6fc92c543ac785ee4246485f7a0fc

SHA256
2f4bab5ec369fc1f38e83e98efa136e95f52f75921a3335bcfe36f738d970619

SHA512
0928eed0742658158b1dbbb2a5b3f0d43ee0b87292b3fc14e710ab1eec2126247c50f6417d557ead41177ca27481ef6fe7407c8b13e7a298491f54e96cd6eab5

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mosjr.png

Filesize
63KB

MD5
8fe8d6f353c9ceeb74090b22ad249ec5

SHA1
da83dc21ef28f9e70a81a50adb5eb770377dd87d

SHA256
c8c3f50824cf15bbb766db351823c10c61bff4981fef1623a6c5666ca27562ce

SHA512
a05f296cba4385f1a3cbcd4a0e54c2f6b862b0cfbfe6cede82498da6a8076c9193a5abfb5de3d8cf939a01b772d015ab5d4ee5178305c729084d34d60cdbdda1

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mosjr.txt

Filesize
1KB

MD5
ea6f30c6883cf62f6f690062e9782a66

SHA1
cb926211e0e3d2b22b4a46dcb9e6ff432316161f

SHA256
ef0c3584f46c3860a0351c9b199bbde101eedefbdf47568bf66d3e7b5e0bf6c3

SHA512
4e2fa35fae1e219487f6f90e8f603926369ab84a2744c9d1cbac8bed07de813f129c35145267239b72a2c51cd4ee77007261f58db5265c26c54598c8328daadb

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
2642179f6cd4d3a2e8d7fd3b73bafc05

SHA1
7863070c9437147b83404e044b1a1df4c18bd6b5

SHA256
a4c8eae1bc2eefa958f29360fd90931c9efed79e89b91e6208935003e872214a

SHA512
6971588fc1186b98359c1e9aefb5d18d9dca430063fa4b09bc06622a4b5b1925a8199b4f6faf1d78091829cff3ed6d1812e5018982a58e6c28ff0f5195f3c88c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
22d413eaa2da4b9845d4b902948f1fb0

SHA1
0e401a6fceb1f5d1089143ac0419dac4c82f5579

SHA256
c830d0e2c66c8ac54cb53590a6a2b0e0f3e8696676f3830957d8b5c222ed8392

SHA512
46d8959e28c25434ec5622e3407047fd6c249c0d1fde9fe693628e9b7fc270d5be6ad1ea0f32145370a2e5b17ce721ac8960c4ea8f5e9f581e2c6ea1fb6b2b75

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
cb61a84bbe48dca4921319e5430b31c3

SHA1
8085635ac5c8288410b7734f9e4a47542e1a57cc

SHA256
94362ddb11969b5d7e79a91714d65d1ed84edf5c223076baae66c911c0b006a0

SHA512
6893a83e85396cce1ca79dfa4d683faeee39c6cbaa8d6ef60b9cf33dc80c132bae8306482b124720a3403d0da6a1c28dc56d53beca13f8f4b25844888225af87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d64281e9e7a9598996472a61db989cfe

SHA1
61a739cdd6c06c9455b7c59990b33e0b5c09efbc

SHA256
938f7205d22221c64f60ffae642df1ed41e839f10cd3b84d87613062cc83bfc2

SHA512
afe7e97f86cc92fff363a4ae2e0a0094bdac52b20724674f21d6458055be5cda8f647bde811c739cc259e318b1f591c2967104e3a187d2c4455cf2d99c7cc3c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e3014f7dc26e430db04b48919b0bf7f9

SHA1
99f3fd2c1b4ec689e5e5684673d66039f7661e2f

SHA256
441bd3cbf3ecc8af99533e6746b79cb5b277ed3abc1f8fef8105eba892186c04

SHA512
c98f067b5ba4c7b3bd8c234bb97b4594f42e24b263a11aa08fea45509df679e86231a2d515ef028a0b3c60cb89ed0549e00a81dc3a66b1556c04874f26d8c593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4cfc444da5c1a1e3a77559baeba7cb48

SHA1
88a34c8e8332ee71f7abf55cf61628d5009ccd3a

SHA256
319ecdc9e3ea24c52946b96afff3ef3fc0047d08fc5ef16bb5b39520274ba9c9

SHA512
9715529d5b30e9648455ba0d4c765bb6ed28512ec525af65b5e22df0f77ea2a237ae7ec70d3dc891eceadcefde4683cc9011a6493186e70e1665ed8bfca75ca3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380890952339.txt

Filesize
47KB

MD5
98a8207507b811de887055ffde388a9a

SHA1
cb48428dedec764e153f453d460b3867d71f2c8c

SHA256
08ed4cfcbf58cdda41fa1691dcd1355592dd1afeec9a2a8b610a29fc82f2c1b4

SHA512
f2145046fc8b1fe643116b0a3a8ea4cb191ffa139365e66ca14d349321f93b99d281ea3593a45793cc00bcb1176fc809149a0e427afa01694672d1ee4b732028

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596427278316214.txt

Filesize
75KB

MD5
b20c98d9134b570e7128ff626d7ef117

SHA1
ab2fc4e268f6bf3376211333ed9ca0b71c43511e

SHA256
ad67797fc713c01986d1642ce925890a1609dc4459749d864b43a383fec1ec22

SHA512
886e14329f3bd14994a071bb3cb23f0e92854dec30f88ffb73f7bac38474e2246f39b4c86f846dd94fe7d3519b9f0912477ee3202df34ca27d399696363058e4

Download Submit
C:\Windows\bgpytlvqwifg.exe

Filesize
360KB

MD5
45193536497856842273bcf3ba3eed80

SHA1
9936812c27e92c8f7f7183ed3a8730ea1c6e167b

SHA256
9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332

SHA512
3ea4cb9916f01b00d7dd73fef6a9006d1c521a225037a44a136991d98db1a0abb74fbc2a09dd2905e2404ca2956382dbb274e346e84be99bdb0377a3ca44f785

Download Submit
memory/456-0-0x0000000000760000-0x0000000000764000-memory.dmp

Filesize
16KB

Download
memory/456-4-0x0000000000760000-0x0000000000764000-memory.dmp

Filesize
16KB

Download
memory/456-1-0x0000000000760000-0x0000000000764000-memory.dmp

Filesize
16KB

Download
memory/3632-12-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4560-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-10472-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-5627-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-271-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-9214-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-10462-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-10463-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-10471-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-2759-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-10511-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4652-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4652-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4652-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4652-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4652-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download